package cn.maidouya.hrm.config;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

/**
 *  resource资源授权公共配置中心
 */
@Configuration // 启动配置文件并交给spring管理
@EnableResourceServer // 启动资源服务配置
@EnableGlobalMethodSecurity(prePostEnabled = true) // 开启方法授权在controller注解支持
public class BaseResourceServerConfig extends ResourceServerConfigurerAdapter {
    // 3. 从yml配置获取值 aouth.resourceId与配置层级一致 形成key value
    @Value("${aouth.resourceId}")
    private String resourceId;
    public String getResourceId() {return resourceId;}
    public void setResourceId(String resourceId) {this.resourceId = resourceId;}

    // 1. 资源服务器配置
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        // 获取数据库resource_ids 资源授权
        resources.resourceId(resourceId);
             //   .tokenServices(tokenService());
        resources.tokenStore(tokenStore());
    }
    public static final String sign = "**itsource&……%￥%￥￥";

    private TokenStore tokenStore() {
        JwtTokenStore tokenStore = new JwtTokenStore(tokenConverter());
        return tokenStore;
    }

    @Bean
    public JwtAccessTokenConverter tokenConverter() {
        JwtAccessTokenConverter tokenConverter = new JwtAccessTokenConverter();
        tokenConverter.setSigningKey(sign);
        return tokenConverter;
    }

    // 授权资源远程，调用远程服务项目
    private ResourceServerTokenServices tokenService() {
        RemoteTokenServices services = new RemoteTokenServices();
        // 连接授权服务方  url后段有规定
        services.setCheckTokenEndpointUrl("http://localhost:3010/oauth/check_token");
        // 授权用户和密码
        services.setClientId("admin");
        services.setClientSecret("1");
        return services;
    }

    // 2. security安全配置
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // 自定义页面
                .antMatchers("loginUser/login").access("#oauth2.hasScope('hrm')")
                // 微信小程序放行
                .antMatchers("/courseDoc/queryCourses").permitAll() // 登录页面路径放行
                //校验scope必须为all ， 对应认证服务的客户端详情配置的clientId
                .antMatchers("/**").access("#oauth2.hasScope('hrm')")



                //关闭跨域伪造检查
                .and().csrf().disable()
                //把session设置为无状态，意思是使用了token，那么session不再做数据的记录
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}